News in a Minute Weekly Roundup | Dec. 8

December 08, 2017

By Marcos Colón

A roundup of the top news stories in information security this week, including the UK warning its government agencies to steer clear of Kaspersky Lab products, PayPal dealing with a data breach, and NIST's latest Cybersecurity Framework draft.

INFOSEC INDUSTRY

UK Government Agencies Warned Off Kaspersky Lab Software

The controversy surrounding Kaspersky Lab products continues, as the UK is warning its government agencies to steer clear of the Russian company’s products. The UK’s National Cyber Security Centre (NCSC) issued new guidance on the risks presented by “cloud-enabled products.” In a separate letter, NCSC CEO Ciaran Martin warned specifically about “Russian antivirus companies,” writing that agencies must be “vigilant to the risk that an [antivirus] product under the control of a hostile actor could extract sensitive data.”

Company Acquired by PayPal May Have Experienced Breach Impacting 1.6 Million

A payment processing firm acquired by PayPal in July has disclosed a security incident that may have exposed the personal information of up to 1.6 million of its customers. TIO Networks, which PayPal bought for $238 million, announced in November that it was suspending operations after PayPal found security flaws in its platform and data-security practices that did not meet PayPal’s information security standards. Last week the company confirmed the security incident.

An ex-NSA employee pleaded guilty to illegally removing sensitive government data from his former employer. Nghia Hoang Pho, 67, pleaded guilty on Friday to a charge of willful retention of national defense information in connection with an NSA leak. Pho stored the information in his home over a period of five years.

A proof of concept (PoC) attack developed by researchers at Check Point Security could impact users of integrated development environments such as IntelliJ, Eclipse and Android Studio. Dubbed ParseDroid, the attack targets the tooling rather than the apps themselves; the researchers said, “the vulnerabilities in question are the developer tools, both downloadable and cloud-bred, that the Android application ecosystem, the largest application community in the world, is using.”

Thanks to an unprotected database, the personal information of 31 million users of a virtual keyboard app may have been compromised. The app’s developer failed to secure the database server, allowing anyone who found it to read the company’s user records without authentication. The exposed database contained records only for the app’s Android users.

Flaws Found in Email Client Applications Allow for Spoofed Emails to Bypass DMARC

Attackers can bypass anti-spoofing mechanisms such as DMARC by leveraging a collection of flaws recently discovered in email client applications. German security researcher Sabri Haddouche found the group of vulnerabilities, dubbed Mailsploit. The spoofed messages pass DMARC because DMARC evaluates the domain of the sender’s address, while the exploit takes advantage of how the email client displays the sender’s name.
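To make the gap concrete, here is an added example (not Mailsploit or any code from the researcher) that splits a From header into the two parts a mail client treats differently: the address inside the angle brackets, whose domain is the only thing DMARC alignment considers, and the display name, which the client renders and DMARC never checks. The sample headers are constructed, the helper names are ours, and the final function is a simple heuristic a gateway or client could run to flag a display name that itself looks like an address from another domain.

```python
"""Added example: why a spoofed display name survives DMARC.

DMARC alignment is evaluated on the domain of the RFC 5322 From
addr-spec (the part in angle brackets).  Mail clients render the display
name, which DMARC never inspects.  Helper names and sample headers here
are constructed for illustration; this is not Mailsploit's code.
"""
import re
from email.header import decode_header, make_header

# Constructed sample From headers (not captured mail).  In each one only the
# address inside the angle brackets is what DMARC aligns on.
SAMPLE_FROM_HEADERS = {
    "honest": "Alice Example <alice@example.com>",
    "quoted_lookalike": '"alice@example.com" <attacker@example.net>',
    # Display name carried in an RFC 2047 encoded-word (base64 of
    # "Alice <alice@example.com>"), decoded by the client before rendering.
    "encoded_lookalike":
        "=?utf-8?B?QWxpY2UgPGFsaWNlQGV4YW1wbGUuY29tPg==?= <attacker@example.net>",
}

# Last angle-bracketed address in the header: the real addr-spec.
_ANGLE_ADDR = re.compile(r"<([^<>\s]+@[^<>\s]+)>\s*$")
# Anything that merely *looks* like an address, capturing its domain.
_ADDR_LIKE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def decode_from_header(raw):
    """Decode RFC 2047 encoded-words so we see what the client will render."""
    return str(make_header(decode_header(raw)))


def split_from_header(raw):
    """Return (display_name, addr_spec) for a From header value.

    The addr-spec is the final angle-bracketed address; everything before
    it is the display name (surrounding quotes stripped).  A bare address
    has an empty display name.
    """
    decoded = decode_from_header(raw)
    m = _ANGLE_ADDR.search(decoded)
    if m is None:
        return "", decoded.strip()
    display = decoded[: m.start()].strip().strip('"').strip()
    return display, m.group(1)


def dmarc_alignment_domain(raw):
    """The only domain DMARC ever looks at: the one in the addr-spec."""
    _, addr_spec = split_from_header(raw)
    return addr_spec.rpartition("@")[2].lower()


def display_name_lookalike_domain(raw):
    """Heuristic a gateway or client could run (our own, not a standard):
    does the display name contain something that looks like an address whose
    domain differs from the DMARC-aligned domain?  Returns that domain, or
    None if the header is clean."""
    display, _ = split_from_header(raw)
    aligned = dmarc_alignment_domain(raw)
    for m in _ADDR_LIKE.finditer(display):
        if m.group(1).lower() != aligned:
            return m.group(1).lower()
    return None


if __name__ == "__main__":
    for label, hdr in SAMPLE_FROM_HEADERS.items():
        display, addr = split_from_header(hdr)
        print(f"{label:18} client shows {display!r}")
        print(f"{'':18} DMARC aligns on {dmarc_alignment_domain(hdr)}"
              f"  lookalike domain in name: {display_name_lookalike_domain(hdr)}")
```

Both lookalike headers align cleanly on example.net, so a DMARC policy for example.com is never consulted; the only signal left is the mismatch between what the name shows and what the address says, which is what the heuristic surfaces.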

This week the National Institute of Standards and Technology (NIST) released the second draft of its proposed update to the Cybersecurity Framework, first published in 2014. The continuously evolving document includes significant changes to existing guidance on self-assessment of cybersecurity risk, and adds new guidance on authorization, authentication, identity proofing, and more.

TeamViewer issued an emergency security fix for a vulnerability that allowed an attacker to take control of a PC through one of its desktop-sharing sessions. The popular remote-desktop software is used by organizations to host online meetings and conferences. Reddit user xployt, who discovered the flaw, warned other Redditors about it on Monday.

As MISTI’s content marketing lead, Marcos spearheads the brand’s content marketing strategy, implementing a process to deliver high-quality insight to information security and internal audit professionals. Prior to working with MISTI, he served as the online editor for the award-winning SC Magazine, a prominent B2B IT security publication. He also served as a senior editor at NewsCred, a prominent content marketing agency, where he provided content strategy guidance for leading brands that include Discover, IBM, Visa and Bloomberg.
